Posted by samzenpus on Monday January 20, 2014 @01:18PM from the try-us-instead dept.

judgecorp writes "The group of security experts who urged people to boycott the RSA conference (over allegations that the security firm RSA has taken a $10 million bribe from the NSA to weaken the security of its products) have put together a rival conference called TrustyCon just down the road from San Francisco's Moscone Center, where the EMC-owned firm will have its conference at the end of February."

No one is "without sin," but there are some boundaries at which you stop being a normal person who has to bend his principles for the real world and become a complete dick who doesn't deserve to be a respected member of the white hat community.

Anyway, got my W2, so I have to go get back to making my yearly donation to the government; I sure hope they won't blow it on multimillion dollar bribes.

Trustycon sounds like an oxymoron right out of the gate, like someone's idea of a sick joke.

The problem we have is that the industry is defined now, whereas when it was starting out, there were not entire infrastructures available for every task. Just getting a new mechanism employed by web servers and web browsers has a huge inertia today. And the industry has made almost zero headway in the task of getting people to even sign e-mail by default, let alone encry

What is killing us is the industry settling for "good enough". SSL is "good enough", with the assumption that CAs won't be compromised. This was true back in the 1990s, but DigiNotar and other CAs have shown that the single, ultimate trust model will fail.

Then there are devices. Even though I have a client key for one E-mail address, because iOS requires an Exchange server, no S/MIME for me unless I JB the device. PGP/gpg is doable, but some apps don't like being switched out and start glitching when they get switched back in. Android is better because of utilities that have better OpenPGP support (K9 Mail for example.)

Once app makers and Apple can be convinced to have usable encryption (OpenPGP and S/MIME) on the individual E-mail level, the big hurdle will be getting users to work on webs of trust, or even just signing/decrypting messages. This isn't rocket science, but security is oftentimes tossed in the back seat compared to virtually anything else. It can be done, though. Most people lock their doors before they leave for the day, so getting them to click on the sign/encrypt button may be eventually doable, given the consequences of not doing so.

Agreed, the CAs are a weak spot, which governments and spies can easily co-opt. A single point of trust also becomes something of a Ponzi racket, taking your money but still not sure of who you are, and surrendering the keys to the castle upon any governmental whim.

As for the webs of trust, I'm not sure that matters for most people. The concept is cool, but unless you are signing code or some such, it really doesn't matter in everyday life. When I send email to my family members, business associates, etc. and

You know you can generate a certificate in Keychain and distribute that out of band, then send encrypted email using apple mail. Obviously both you and your recipients need to do this if you want to do anything more complicated than simply signing your mail.

The thing that I'm upset about is that Apple still uses the compromised Comodo root for the certificates they use to sign patches with...

You can set the trust level on any certificate in the keychain to "never trust." The problem is that you are going to need to fiddle with it every time a new patch gets pushed out through the app store.

You didn't ask me, but I can still provide an answer. "What has the NSA done to people?"

No frigging clue, because everything done is "secret". You can assume that they have done nothing, and I can assume they have done everything. Both of those are assumptions and neither could be proven.

So has the NSA turned over documents to Police agencies, employers, the IRS, etc. that have led to investigations or damages? I believe we have enough circumstantial evidence to believe the first and third of those examples have happened. I'm not trying to patronize, but you can look at Parallel investigations and the IRS investigating non-profits for more information. It was impossible to tell if you were defending them or not, so you may already have knowledge of the subjects.

This is why we should all be demanding transparency from the agency and accountability from the whole Government. We don't know what they are doing because they label everything "secret". I find it logical to assume that if they are immoral in one area, we can assume that they are immoral in more areas. Wrong follows wrong, always has and always will.

The same concerns we have over the NSA should exist with a company like RSA who only apologized and told customers to change practices _after_ they were caught taking money from a government agency at the expense of customers. They never refunded a penny to customers either, so they are more than deserving of a boycott.

You didn't ask me, but I can still provide an answer. "What has the NSA done to people?"

No frigging clue, because everything done is "secret". You can assume that they have done nothing, and I can assume they have done everything.

If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.

The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.

If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.

The NSA doesn't care whether you agree or disagree with them. They care about other things. For example, they might care that you once had a phone conversation with someone who once sat on the same bus as someone who is related to a terrorist. If you then disappeared, without having ever disagreed with the NSA, without ever having had anything to do with terrorists as far as you know, who would connect your disappearance with the NSA?

This is wrong on just about every level. Fact: The NSA is not a Law Enforcement agency, and has no authority to arrest or detain people. We know through leaks that they do provide data to various law enforcement agencies, then those agencies have been instructed to (illegally) reconstruct the data to keep the NSA out of the picture. We know the NSA provided data to the IRS who then audited political groups.

I can see questioning the use of "honeypot conference", or lacking knowledge of what crossing them would lead to. I don't agree with you painting them as innocent because we have enough facts to know they are not innocent. How guilty they are is a valid question.

If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.

The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.

You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists [infosecuri...gazine.com] and get harassed every time they enter the country even though they are citizens?

Your link goes to an article that says it is "possible" the guy was put on a watch list but there is no actual evidence of him being put on such a list. Unfounded assumptions do not translate into facts.

You can see if you are on a no flight list by contacting a TSA officer at any airport. If you are stopped and searched beyond normal procedures you can also ask if you are on any other type of list that would prevent you from normal travel between countries.

If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.

Sure they can be kept secret. And we don't know how many people fall into this category. But any such losses would be simply lost in the local mystery that every town has, namely the huge number of missing persons.

There is a vast forest of people missing in which you could hide a lot of "disappeared" people. Someone quietly working in a field without a huge public exposure (whether white hat or black hat) could go missing from his basement lair, get reported, and forgotten by all but his mom and the world would never take notice.

Who knows, perhaps you'll eat some really bad shellfish, or wrap a steel cable around your neck and step on the gas. Or a bunch of illegal drugs will turn up in your car (No idea how it got there? SUUUUUURE!). Perhaps a few classified documents in your briefcase.

I doubt it would be the same thing every time. Some interesting combination of accidents, suicide, unexpected crimes (complete with neighbors saying he seemed so normal), etc.

And surely not everyone. The real crackpots will never be silenced, they d

Thank you for your irrelevant, biased, and fallacy ridden input Cold Fjord. Now that you stopped using your personal karma poor account please create a new named account so that it's easier to ignore you.

Your red herring and false analogy arguments are identical no matter how you log in. Go pound some sand and choke on your master's wanker.

If I'm going to choose between who is more credible, the people providing examples and evidence of what they're doing... or the lawmakers who keep braying that it's all legal... then I'm afraid I'm more inclined to trust the news reports based on the leaks from Snowden.

By rather a considerable margin.

We already know the people defending this have lied about what they really do, which means they're not really deserving of any of our trust.

I'm not particularly inclined to trust anybody affirming or denying anything outright. None of it can be independently verified.

That's not true. We can witness the behaviors of the organization. Note how they started with denial, then moved towards excuses, and now have clammed up entirely. This tells us something about their behavior, and if we assume that behavior makes sense in context with the truth, then we get a glimpse of that truth as well.

The alternate response is that if RSA did knowingly weaken commercial security, then you more or less have to stop trusting them.

And if they didn't knowingly weaken security, but rather did so unwittingly, then you also have to stop trusting them. If they are that incompetent they had no clue, they probably don't belong in the business.

They only came out and told people to stop using their broken software AFTER Snowden made it known that it was compromised. NIST is pretty much in the same predicament.

Something else many slashdotters may be in a position to do is to vote with their dollars. Even if you can't actually attend or help fund one conference or the other, take note of which companies attend which. Follow the money, and promote those who don't agree with the actions of the NSA and, by extension, with RSA. If attending the RSA conference is a mark against themselves in the eyes of potential customers, fewer companies will attend. If the sponsors and attendees of the new conference get extra busin